<html xmlns="https://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Language" content="zh-CN" />
<link href="../style/css/manual-zip.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-zip-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
<title>SSL/TLS Strong Encryption: Compatibility - Apache 2.2 Chinese Manual [金步国]</title>
</head>
<body id="manual-page"><div id="page-header">
<p class="menu"><a href="../mod/index.html">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/index.html">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p><p class="apache">Apache HTTP Server Version 2.2</p><img alt="" src="../images/feather.gif" /></div>

<div id="translation-info"><a href="../translator_announcement.html#thanks">Acknowledgements</a> | Translator of this page: <a href="../../../index.html">金步国</a> (<a href="../../../index.html">collected works</a>) | Page last updated: October 20, 2006</div>
<div id="page-content"><div id="preamble"><h1>SSL/TLS Strong Encryption: Compatibility</h1>


<blockquote>
<p>All PCs are compatible. But some of them are more compatible than others.</p>
<p class="cite">-- <cite>Unknown</cite></p>
</blockquote>

<p>
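This page covers backward compatibility with other SSL solutions. mod_ssl is not the only SSL solution for Apache; there are four other major products: Ben Laurie's free <a href="http://www.apache-ssl.org/">Apache-SSL</a> (dating from 1998 and sharing a common origin with mod_ssl), Red Hat's commercial <a href="http://www.redhat.com/products/product-details.phtml?id=rhsa">Secure Web Server</a> (based on mod_ssl), Covalent's commercial <a href="http://raven.covalent.net/">Raven SSL Module</a> (also based on mod_ssl) and C2Net's commercial product <a href="http://www.c2.net/products/stronghold/">Stronghold</a> (based on a different evolution branch, Sioux, up to Stronghold 2.x, and based on mod_ssl since Stronghold 3.x).</p>

<p>The reason to use mod_ssl is that it provides a superset of the functionality of the other solutions and is compatible with them in most cases. In practice, compatibility covers three areas: configuration directives, environment variables and custom log functions.</p>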
</div>
<div class="section">
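<h2><a name="configuration" id="configuration">Configuration Directives</a></h2>
<p>For backward compatibility with the configuration directives of other SSL solutions, we use a simple mapping: a directive that has a direct counterpart is mapped to it, and a directive that has no direct counterpart produces a warning message in the log file. <a href="ssl_compat.html#table1">Table 1</a> lists the directives that are mapped. Full backward compatibility is currently provided only for Apache-SSL 1.x and mod_ssl 2.0.x. Sioux 1.x and Stronghold 2.x are supported only in part, because their interfaces include special functionality that mod_ssl does not yet support.</p>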


<h3><a name="table1" id="table1">Table 1: Configuration Directive Mapping</a></h3>

<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA">
<tr class="header"><th>Old Directive</th><th>mod_ssl Directive</th><th>Comment</th></tr>
<tr class="header"><th colspan="3">Apache-SSL 1.x &amp; mod_ssl 2.0.x compatibility:</th></tr>
<tr><td><code>SSLEnable</code></td><td><code>SSLEngine on</code></td><td>enhanced</td></tr>
<tr class="odd"><td><code>SSLDisable</code></td><td><code>SSLEngine off</code></td><td>enhanced</td></tr>
<tr><td><code>SSLLogFile</code> <em>file</em></td><td><code>SSLLog</code> <em>file</em></td><td>enhanced</td></tr>
<tr class="odd"><td><code>SSLRequiredCiphers</code> <em>spec</em></td><td><code>SSLCipherSuite</code> <em>spec</em></td><td>renamed</td></tr>
<tr><td><code>SSLRequireCipher</code> <em>c1</em> ...</td><td><code>SSLRequire %{SSL_CIPHER} in {"</code><em>c1</em><code>", ...}</code></td><td>no significant change</td></tr>
<tr class="odd"><td><code>SSLBanCipher</code> <em>c1</em> ...</td><td><code>SSLRequire not (%{SSL_CIPHER} in {"</code><em>c1</em><code>", ...})</code></td><td>no significant change</td></tr>
<tr><td><code>SSLFakeBasicAuth</code></td><td><code>SSLOptions +FakeBasicAuth</code></td><td>merged</td></tr>
<tr class="odd"><td><code>SSLCacheServerPath</code> <em>dir</em></td><td>-</td><td>obsolete</td></tr>
<tr><td><code>SSLCacheServerPort</code> <em>integer</em></td><td>-</td><td>obsolete</td></tr>
<tr class="header"><th colspan="3">Apache-SSL 1.x compatibility:</th></tr>
<tr class="odd"><td><code>SSLExportClientCertificates</code></td><td><code>SSLOptions +ExportCertData</code></td><td>merged</td></tr>
<tr><td><code>SSLCacheServerRunDir</code> <em>dir</em></td><td>-</td><td>no longer supported</td></tr>
<tr class="header"><th colspan="3">Sioux 1.x compatibility:</th></tr>
<tr class="odd"><td><code>SSL_CertFile</code> <em>file</em></td><td><code>SSLCertificateFile</code> <em>file</em></td><td>renamed</td></tr>
<tr><td><code>SSL_KeyFile</code> <em>file</em></td><td><code>SSLCertificateKeyFile</code> <em>file</em></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_CipherSuite</code> <em>arg</em></td><td><code>SSLCipherSuite</code> <em>arg</em></td><td>renamed</td></tr>
<tr><td><code>SSL_X509VerifyDir</code> <em>arg</em></td><td><code>SSLCACertificatePath</code> <em>arg</em></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_Log</code> <em>file</em></td><td><code>SSLLogFile</code> <em>file</em></td><td>renamed</td></tr>
<tr><td><code>SSL_Connect</code> <em>flag</em></td><td><code>SSLEngine</code> <em>flag</em></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_ClientAuth</code> <em>arg</em></td><td><code>SSLVerifyClient</code> <em>arg</em></td><td>renamed</td></tr>
<tr><td><code>SSL_X509VerifyDepth</code> <em>arg</em></td><td><code>SSLVerifyDepth</code> <em>arg</em></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_FetchKeyPhraseFrom</code> <em>arg</em></td><td>-</td><td>no direct mapping; use SSLPassPhraseDialog</td></tr>
<tr><td><code>SSL_SessionDir</code> <em>dir</em></td><td>-</td><td>no direct mapping; use SSLSessionCache</td></tr>
<tr class="odd"><td><code>SSL_Require</code> <em>expr</em></td><td>-</td><td>no direct mapping; use SSLRequire</td></tr>
<tr><td><code>SSL_CertFileType</code> <em>arg</em></td><td>-</td><td>no longer supported</td></tr>
<tr class="odd"><td><code>SSL_KeyFileType</code> <em>arg</em></td><td>-</td><td>no longer supported</td></tr>
<tr><td><code>SSL_X509VerifyPolicy</code> <em>arg</em></td><td>-</td><td>no longer supported</td></tr>
<tr class="odd"><td><code>SSL_LogX509Attributes</code> <em>arg</em></td><td>-</td><td>no longer supported</td></tr>
<tr class="header"><th colspan="3">Stronghold 2.x compatibility:</th></tr>
<tr><td><code>StrongholdAccelerator</code> <em>dir</em></td><td>-</td><td>no longer supported</td></tr>
<tr class="odd"><td><code>StrongholdKey</code> <em>dir</em></td><td>-</td><td>no longer supported</td></tr>
<tr><td><code>StrongholdLicenseFile</code> <em>dir</em></td><td>-</td><td>no longer supported</td></tr>
<tr class="odd"><td><code>SSLFlag</code> <em>flag</em></td><td><code>SSLEngine</code> <em>flag</em></td><td>renamed</td></tr>
<tr><td><code>SSLSessionLockFile</code> <em>file</em></td><td><code>SSLMutex</code> <em>file</em></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSLCipherList</code> <em>spec</em></td><td><code>SSLCipherSuite</code> <em>spec</em></td><td>renamed</td></tr>
<tr><td><code>RequireSSL</code></td><td><code>SSLRequireSSL</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSLErrorFile</code> <em>file</em></td><td>-</td><td>no longer supported</td></tr>
<tr><td><code>SSLRoot</code> <em>dir</em></td><td>-</td><td>no longer supported</td></tr>
<tr class="odd"><td><code>SSL_CertificateLogDir</code> <em>dir</em></td><td>-</td><td>no longer supported</td></tr>
<tr><td><code>AuthCertDir</code> <em>dir</em></td><td>-</td><td>no longer supported</td></tr>
<tr class="odd"><td><code>SSL_Group</code> <em>name</em></td><td>-</td><td>no longer supported</td></tr>
<tr><td><code>SSLProxyMachineCertPath</code> <em>dir</em></td><td>-</td><td>no longer supported</td></tr>
<tr class="odd"><td><code>SSLProxyMachineCertFile</code> <em>file</em></td><td>-</td><td>no longer supported</td></tr>
<tr><td><code>SSLProxyCACertificatePath</code> <em>dir</em></td><td>-</td><td>no longer supported</td></tr>
<tr class="odd"><td><code>SSLProxyCACertificateFile</code> <em>file</em></td><td>-</td><td>no longer supported</td></tr>
<tr><td><code>SSLProxyVerifyDepth</code> <em>number</em></td><td>-</td><td>no longer supported</td></tr>
<tr class="odd"><td><code>SSLProxyCipherList</code> <em>spec</em></td><td>-</td><td>no longer supported</td></tr>
</table>
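<p>One way to rewrite a legacy configuration explicitly with the Table 1 mappings, so that cipher restrictions and other settings do not depend on the compatibility layer and its log warnings. This is an added example, not code from the Apache manual or from mod_ssl; <code>migrate</code>, <code>LEGACY</code> and the sample virtual host are constructed for illustration, and only a subset of the table rows is encoded.</p>

```python
import re

# Rows taken from Table 1 (Apache-SSL 1.x / mod_ssl 2.0.x and Sioux 1.x).
# Apache matches directive names case-insensitively, so keys are lower case.
RENAMED = {
    "sslenable": "SSLEngine on",
    "ssldisable": "SSLEngine off",
    "sslrequiredciphers": "SSLCipherSuite",
    "sslfakebasicauth": "SSLOptions +FakeBasicAuth",
    "sslexportclientcertificates": "SSLOptions +ExportCertData",
    "ssl_certfile": "SSLCertificateFile",
    "ssl_keyfile": "SSLCertificateKeyFile",
}
# Cipher lists become SSLRequire expressions over %{SSL_CIPHER}.
CIPHER_TESTS = {
    "sslrequirecipher": "SSLRequire %{{SSL_CIPHER}} in {{{}}}",
    "sslbancipher": "SSLRequire not (%{{SSL_CIPHER}} in {{{}}})",
}
# Rows whose mod_ssl column is "-": nothing can be emitted automatically.
NO_EQUIVALENT = {"sslcacheserverpath", "sslcacheserverport", "sslcacheserverrundir",
                 "ssl_certfiletype", "ssl_keyfiletype", "ssl_x509verifypolicy"}

def migrate(config_text):
    """Rewrite legacy directives; return (new_text, warnings)."""
    out, warnings = [], []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = re.match(r"(\s*)(\w+)\s*(.*)", line)
        indent, name, args = m.groups() if m else ("", "", "")
        key = name.lower()
        if key in RENAMED:
            line = f"{indent}{RENAMED[key]} {args}".rstrip()
        elif key in CIPHER_TESTS:
            quoted = ", ".join(f'"{c}"' for c in args.split())
            line = indent + CIPHER_TESTS[key].format(quoted)
        elif key in NO_EQUIVALENT:
            warnings.append(f"line {lineno}: {name} has no mod_ssl equivalent")
            line = f"{indent}# REVIEW (no mod_ssl equivalent): {line.strip()}"
        out.append(line)
    return "\n".join(out), warnings

# Constructed sample in Apache-SSL 1.x style (not from the manual).
LEGACY = """\
<VirtualHost _default_:443>
    SSLEnable
    SSLRequiredCiphers HIGH:MEDIUM
    SSLBanCipher NULL-MD5 EXP-RC4-MD5
    SSLFakeBasicAuth
    SSLCacheServerPort 1234
</VirtualHost>"""
```

<p>Calling <code>migrate(LEGACY)</code> returns the rewritten text together with one warning for <code>SSLCacheServerPort</code>, which is commented out for manual review instead of being dropped silently.</p>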

</div>
<div class="section">
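<h2><a name="variables" id="variables">Environment Variables</a></h2>
<p>When &quot;<code>SSLOptions +CompatEnvVars</code>&quot; is used, additional environment variables are generated that correspond to existing official mod_ssl variables. <a href="ssl_compat.html#table2">Table 2</a> lists how the implemented variables are derived.</p>

<h3><a name="table2" id="table2">Table 2: Environment Variable Derivation</a></h3>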

<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA">
<tr class="header"><th>Old Variable</th><th>mod_ssl Variable</th><th>Comment</th></tr>
<tr><td><code>SSL_PROTOCOL_VERSION</code></td><td><code>SSL_PROTOCOL</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSLEAY_VERSION</code></td><td><code>SSL_VERSION_LIBRARY</code></td><td>renamed</td></tr>
<tr><td><code>HTTPS_SECRETKEYSIZE</code></td><td><code>SSL_CIPHER_USEKEYSIZE</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>HTTPS_KEYSIZE</code></td><td><code>SSL_CIPHER_ALGKEYSIZE</code></td><td>renamed</td></tr>
<tr><td><code>HTTPS_CIPHER</code></td><td><code>SSL_CIPHER</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>HTTPS_EXPORT</code></td><td><code>SSL_CIPHER_EXPORT</code></td><td>renamed</td></tr>
<tr><td><code>SSL_SERVER_KEY_SIZE</code></td><td><code>SSL_CIPHER_ALGKEYSIZE</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_SERVER_CERTIFICATE</code></td><td><code>SSL_SERVER_CERT</code></td><td>renamed</td></tr>
<tr><td><code>SSL_SERVER_CERT_START</code></td><td><code>SSL_SERVER_V_START</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_SERVER_CERT_END</code></td><td><code>SSL_SERVER_V_END</code></td><td>renamed</td></tr>
<tr><td><code>SSL_SERVER_CERT_SERIAL</code></td><td><code>SSL_SERVER_M_SERIAL</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_SERVER_SIGNATURE_ALGORITHM</code></td><td><code>SSL_SERVER_A_SIG</code></td><td>renamed</td></tr>
<tr><td><code>SSL_SERVER_DN</code></td><td><code>SSL_SERVER_S_DN</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_SERVER_CN</code></td><td><code>SSL_SERVER_S_DN_CN</code></td><td>renamed</td></tr>
<tr><td><code>SSL_SERVER_EMAIL</code></td><td><code>SSL_SERVER_S_DN_Email</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_SERVER_O</code></td><td><code>SSL_SERVER_S_DN_O</code></td><td>renamed</td></tr>
<tr><td><code>SSL_SERVER_OU</code></td><td><code>SSL_SERVER_S_DN_OU</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_SERVER_C</code></td><td><code>SSL_SERVER_S_DN_C</code></td><td>renamed</td></tr>
<tr><td><code>SSL_SERVER_SP</code></td><td><code>SSL_SERVER_S_DN_SP</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_SERVER_L</code></td><td><code>SSL_SERVER_S_DN_L</code></td><td>renamed</td></tr>
<tr><td><code>SSL_SERVER_IDN</code></td><td><code>SSL_SERVER_I_DN</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_SERVER_ICN</code></td><td><code>SSL_SERVER_I_DN_CN</code></td><td>renamed</td></tr>
<tr><td><code>SSL_SERVER_IEMAIL</code></td><td><code>SSL_SERVER_I_DN_Email</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_SERVER_IO</code></td><td><code>SSL_SERVER_I_DN_O</code></td><td>renamed</td></tr>
<tr><td><code>SSL_SERVER_IOU</code></td><td><code>SSL_SERVER_I_DN_OU</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_SERVER_IC</code></td><td><code>SSL_SERVER_I_DN_C</code></td><td>renamed</td></tr>
<tr><td><code>SSL_SERVER_ISP</code></td><td><code>SSL_SERVER_I_DN_SP</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_SERVER_IL</code></td><td><code>SSL_SERVER_I_DN_L</code></td><td>renamed</td></tr>
<tr><td><code>SSL_CLIENT_CERTIFICATE</code></td><td><code>SSL_CLIENT_CERT</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_CLIENT_CERT_START</code></td><td><code>SSL_CLIENT_V_START</code></td><td>renamed</td></tr>
<tr><td><code>SSL_CLIENT_CERT_END</code></td><td><code>SSL_CLIENT_V_END</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_CLIENT_CERT_SERIAL</code></td><td><code>SSL_CLIENT_M_SERIAL</code></td><td>renamed</td></tr>
<tr><td><code>SSL_CLIENT_SIGNATURE_ALGORITHM</code></td><td><code>SSL_CLIENT_A_SIG</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_CLIENT_DN</code></td><td><code>SSL_CLIENT_S_DN</code></td><td>renamed</td></tr>
<tr><td><code>SSL_CLIENT_CN</code></td><td><code>SSL_CLIENT_S_DN_CN</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_CLIENT_EMAIL</code></td><td><code>SSL_CLIENT_S_DN_Email</code></td><td>renamed</td></tr>
<tr><td><code>SSL_CLIENT_O</code></td><td><code>SSL_CLIENT_S_DN_O</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_CLIENT_OU</code></td><td><code>SSL_CLIENT_S_DN_OU</code></td><td>renamed</td></tr>
<tr><td><code>SSL_CLIENT_C</code></td><td><code>SSL_CLIENT_S_DN_C</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_CLIENT_SP</code></td><td><code>SSL_CLIENT_S_DN_SP</code></td><td>renamed</td></tr>
<tr><td><code>SSL_CLIENT_L</code></td><td><code>SSL_CLIENT_S_DN_L</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_CLIENT_IDN</code></td><td><code>SSL_CLIENT_I_DN</code></td><td>renamed</td></tr>
<tr><td><code>SSL_CLIENT_ICN</code></td><td><code>SSL_CLIENT_I_DN_CN</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_CLIENT_IEMAIL</code></td><td><code>SSL_CLIENT_I_DN_Email</code></td><td>renamed</td></tr>
<tr><td><code>SSL_CLIENT_IO</code></td><td><code>SSL_CLIENT_I_DN_O</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_CLIENT_IOU</code></td><td><code>SSL_CLIENT_I_DN_OU</code></td><td>renamed</td></tr>
<tr><td><code>SSL_CLIENT_IC</code></td><td><code>SSL_CLIENT_I_DN_C</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_CLIENT_ISP</code></td><td><code>SSL_CLIENT_I_DN_SP</code></td><td>renamed</td></tr>
<tr><td><code>SSL_CLIENT_IL</code></td><td><code>SSL_CLIENT_I_DN_L</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_EXPORT</code></td><td><code>SSL_CIPHER_EXPORT</code></td><td>renamed</td></tr>
<tr><td><code>SSL_KEYSIZE</code></td><td><code>SSL_CIPHER_ALGKEYSIZE</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_SECKEYSIZE</code></td><td><code>SSL_CIPHER_USEKEYSIZE</code></td><td>renamed</td></tr>
<tr><td><code>SSL_SSLEAY_VERSION</code></td><td><code>SSL_VERSION_LIBRARY</code></td><td>renamed</td></tr>
<tr class="odd"><td><code>SSL_STRONG_CRYPTO</code></td><td><code>-</code></td><td>not supported by mod_ssl</td></tr>
<tr><td><code>SSL_SERVER_KEY_EXP</code></td><td><code>-</code></td><td>not supported by mod_ssl</td></tr>
<tr class="odd"><td><code>SSL_SERVER_KEY_ALGORITHM</code></td><td><code>-</code></td><td>not supported by mod_ssl</td></tr>
<tr><td><code>SSL_SERVER_KEY_SIZE</code></td><td><code>-</code></td><td>not supported by mod_ssl</td></tr>
<tr class="odd"><td><code>SSL_SERVER_SESSIONDIR</code></td><td><code>-</code></td><td>not supported by mod_ssl</td></tr>
<tr><td><code>SSL_SERVER_CERTIFICATELOGDIR</code></td><td><code>-</code></td><td>not supported by mod_ssl</td></tr>
<tr class="odd"><td><code>SSL_SERVER_CERTFILE</code></td><td><code>-</code></td><td>not supported by mod_ssl</td></tr>
<tr><td><code>SSL_SERVER_KEYFILE</code></td><td><code>-</code></td><td>not supported by mod_ssl</td></tr>
<tr class="odd"><td><code>SSL_SERVER_KEYFILETYPE</code></td><td><code>-</code></td><td>not supported by mod_ssl</td></tr>
<tr><td><code>SSL_CLIENT_KEY_EXP</code></td><td><code>-</code></td><td>not supported by mod_ssl</td></tr>
<tr class="odd"><td><code>SSL_CLIENT_KEY_ALGORITHM</code></td><td><code>-</code></td><td>not supported by mod_ssl</td></tr>
<tr><td><code>SSL_CLIENT_KEY_SIZE</code></td><td><code>-</code></td><td>not supported by mod_ssl</td></tr>
</table>

</div>
<div class="section">
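<h2><a name="customlog" id="customlog">Custom Log Functions</a></h2>
<p>
When mod_ssl is compiled statically into Apache or loaded dynamically (as a DSO), the <a href="../mod/mod_log_config.html#formats">custom log formats</a> provided by <code class="module"><a href="../mod/mod_log_config.html">mod_log_config</a></code> can be used as described in the reference documentation. Besides the extension format &quot;<code>%{</code><em>varname</em><code>}x</code>&quot;, which expands any variable provided by any module, an additional cryptography format &quot;<code>%{</code><em>name</em><code>}c</code>&quot; exists for backward compatibility. <a href="ssl_compat.html#table3">Table 3</a> lists the implemented formats.</p>

<h3><a name="table3" id="table3">Table 3: Custom Log Cryptography Formats</a></h3>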

<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA">
<tr><th>Function Call</th><th>Description</th></tr>
<tr><td><code>%...{version}c</code></td><td>SSL protocol version</td></tr>
<tr><td><code>%...{cipher}c</code></td><td>SSL cipher</td></tr>
<tr><td><code>%...{subjectdn}c</code></td><td>Subject Distinguished Name of the client certificate</td></tr>
<tr><td><code>%...{issuerdn}c</code></td><td>Issuer Distinguished Name of the client certificate</td></tr>
<tr><td><code>%...{errcode}c</code></td><td>Error code of the client certificate (numerical)</td></tr>
<tr><td><code>%...{errstr}c</code></td><td>Error message of the client certificate (string)</td></tr>
</table>

</div></div>
<div id="footer">
<p class="apache">This document may be freely reproduced, quoted and redistributed, provided that the translator's attribution is retained and the source is credited; for details see the <a href="../translator_announcement.html#announcement">copyright notice</a>.</p>
</div>
</body></html>
